From 01db8d59c8bcf69d9c375c7f9c8e1f1d03498c00 Mon Sep 17 00:00:00 2001
From: Kristóf Marussy
Date: Sat, 24 Feb 2024 01:13:00 +0100
Subject: fix(web): CSP for SVG rasterization

We have to allow img-src blob: to be able to rasterize SVG files by loading their blobs as object URLs into objects. Also fixes font-style for PNG export.
---
 .../main/java/tools/refinery/language/web/SecurityHeadersFilter.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'subprojects/language-web')

diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
index cc87917f..19eeeff3 100644
--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -20,8 +20,8 @@ public class SecurityHeadersFilter implements Filter {
 // CodeMirror needs inline styles, see e.g.,
 // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
 "style-src 'self' 'unsafe-inline'; " +
- // Use 'data:' for displaying inline SVG backgrounds.
- "img-src 'self' data:; " +
+ // Use 'data:' for displaying inline SVG backgrounds and blob for rendering SVG.
+ "img-src 'self' data: blob:; " +
 "font-src 'self'; " +
 // Fetch data:application/octet-stream;base64 URIs to unpack compressed URL fragments.
 "connect-src 'self' data:; " +
-- cgit v1.2.3-54-g00ecf
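Review bot: The new comment on the `img-src` line says what `blob:` is for but not why widening the image policy is safe, which is the question the next reader of a CSP string will ask; I would replace it with `// Use 'data:' for inline SVG backgrounds and 'blob:' so the PNG exporter can rasterize SVG through object URLs; blob: URLs are bound to this origin and SVG loaded as an image runs no script, so this does not relax script-src.` The commit message speaks of loading blobs "into objects": if the exporter actually uses an `<object>` or `<embed>` element rather than an `Image`/`<img>`, that load is governed by `object-src`, which is not touched here and is not visible in this hunk, so it is worth confirming the element type once before relying on this change. The "font-style for PNG export" fix mentioned in the message is not in this diff, presumably because the listing is limited to `subprojects/language-web`. The CSP string concatenation this hunk edits starts and ends outside the hunk.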